Does Istio support proxy protocol?
You may have to apply this:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector
As my Istio ingress gateway is behind an AWS ELB, I also had to enable proxy protocol on the ELB:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: default
  components:
    ingressGateways:
    - name: istio-ingressgateway
      namespace: istio-system
      enabled: true
      # Copy settings from istio-ingressgateway as needed.
  values:
    gateways:
      istio-ingressgateway:
        serviceAnnotations:
          # Note that Helm values (spec.values.gateways.istio-ingressgateway/egressgateway)
          # are shared by all ingress/egress gateways.
          # If these must be customized per gateway,
          # it is recommended to use a separate IstioOperator CR
          # Enable Proxy protocol
          service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
If you miss envoy.listener.tls_inspector, you will get:
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx
openssl: no peer certificate available
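Why the EnvoyFilter above lists envoy.listener.proxy_protocol ahead of envoy.listener.tls_inspector, shown as an added example that is not part of the original answer: a simplified Python model, not Envoy's code, of what a TLS sniffer sees with and without the PROXY header stripped first. It assumes the PROXY protocol v1 text header; the function names and the sample bytes (documentation-range addresses, a truncated ClientHello) are constructed for illustration.

```python
import ipaddress

TLS_HANDSHAKE = 0x16  # TLS record content type of a ClientHello

# Constructed sample: PROXY v1 header as a load balancer would prepend it,
# followed by the first bytes of a TLS ClientHello record (truncated).
SAMPLE = (b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n"
          b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03")


def strip_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header; return (client info, remaining bytes)."""
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 signature")
    end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes incl. CRLF
    if end == -1:
        raise ValueError("unterminated PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # the proxy could not determine the addresses
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])  # raises ValueError on a bad address
    dst = ipaddress.ip_address(fields[3])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"src": (str(src), sport), "dst": (str(dst), dport)}, rest


def looks_like_tls(data: bytes) -> bool:
    """First check of a TLS sniffer: handshake record with major version 3."""
    return len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03


def listener_view(data: bytes, proxy_filter: bool):
    """Model of the listener filter order: PROXY header first, then TLS sniffing."""
    info = None
    if proxy_filter:
        info, data = strip_proxy_v1(data)
    return info, looks_like_tls(data)


if __name__ == "__main__":
    print(listener_view(SAMPLE, proxy_filter=True))
    print(listener_view(SAMPLE, proxy_filter=False))
```

With the header stripped first, the sniffer sees the ClientHello and the real client address is available; without that step the first byte it sees is the "P" of "PROXY", so the stream is not recognized as TLS.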